Closed Bug 308579 Opened 19 years ago Closed 19 years ago

Null dereference [@ nsFontMetricsWin::ResolveForwards]

Categories: Firefox :: General, defect
Platform: x86, Windows XP
Severity: critical
Status: VERIFIED DUPLICATE of bug 307875
Reporter: dveditz (Unassigned)
Keywords: crash, testcase
Attachments: 1 file

Tom Ferris posted a new crasher on his site,
http://security-protocols.com/advisory/sp-x18-advisory.txt

The testcase is superficially similar to heap buffer overflow bug 307259, but it
does not appear to be the same crash at all. Bug 307259 was very definitely in
the IDN processing, and this crash happens regardless of whether IDN is
disabled. Bug 307259 led to random crashes as various corrupted heap objects
were used; this bug always crashes at the same spot with a null dereference.

1.5beta1: TB9353293, TB9353326
1.5+307259 patch: TB9358875, TB9353546, TB9353492

crashes here:
http://bonsai.mozilla.org/cvsblame.cgi?file=/mozilla/gfx/src/windows/nsFontMetricsWin.cpp&mark=4008&rev=MOZILLA_1_8_BRANCH#4008

nsFontMetricsWin::ResolveForwards [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/gfx/src/windows/nsFontMetricsWin.cpp, line 4008]
nsRenderingContextWin::GetWidth [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/gfx/src/windows/nsRenderingContextWin.cpp, line 1514]
nsTextFrame::GetPointFromOffset [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsTextFrame.cpp, line 4219]
nsTypedSelection::GetPointFromOffset [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsSelection.cpp, line 6747]
nsTypedSelection::GetCachedFrameOffset [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/generic/nsSelection.cpp, line 5090]
nsCaret::GetCaretRectAndInvert [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCaret.cpp, line 994]
nsCaret::DrawAtPositionWithHint [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCaret.cpp, line 710]
nsCaret::DrawCaret [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCaret.cpp, line 914]
nsCaret::StartBlinking [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsCaret.cpp, line 482]
PresShellViewEventListener::DidRefreshRect [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/layout/base/nsPresShell.cpp, line 7883]
nsViewManager::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsViewManager.cpp, line 2047]
HandleEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/view/src/nsView.cpp, line 174]
nsWindow::DispatchEvent [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1252]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4362]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8744 (0x77d48744)
USER32.dll + 0x8826 (0x77d48826)
USER32.dll + 0xb4d0 (0x77d4b4d0)
USER32.dll + 0xb51c (0x77d4b51c)
ntdll.dll + 0xeae3 (0x7c90eae3)
nsWindow::DispatchStarvedPaints [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4182]
USER32.dll + 0xda67 (0x77d4da67)
nsWindow::DispatchPendingEvents [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4220]
nsWindow::ProcessMessage [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 4627]
nsWindow::WindowProc [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsWindow.cpp, line 1434]
USER32.dll + 0x8744 (0x77d48744)
USER32.dll + 0x8826 (0x77d48826)
USER32.dll + 0x89dd (0x77d489dd)
USER32.dll + 0x8a20 (0x77d48a20)
nsAppShell::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/widget/src/windows/nsAppShell.cpp, line 159]
nsAppStartup::Run [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/toolkit/components/startup/src/nsAppStartup.cpp, line 146]
main [c:/builds/tinderbox/Fx-Mozilla1.8/WINNT_5.2_Depend/mozilla/browser/app/nsBrowserApp.cpp, line 61]
kernel32.dll + 0x16d4f (0x7c816d4f)

Attached file deerpark-death.html
Attachment #196089 - Attachment filename: deerpark-death.html → deerpark-death.html (save locally, or load from original advisory)

*** This bug has been marked as a duplicate of 307875 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Status: RESOLVED → VERIFIED
Crash Signature: [@ nsFontMetricsWin::ResolveForwards]